MaxCompute supports tenant-level permission management, which allows you to manage permissions on specific objects such as quotas and network connections. This topic describes how to perform access control based on tenant-level roles and how to manage permissions. This topic also describes SQL statements that are related to permissions.
Background information
All operation permissions on MaxCompute objects such as projects, tables, functions, resources, and instances are managed at the project level. Permissions on a project can be granted to a user only after the user is added to the project. This topic describes how to assign a role to a tenant and grant required operation permissions on specific objects, such as quotas and network connections, to the role by using policies.
Limits
Only Alibaba Cloud accounts or RAM users that are assigned the tenant-level Super_Administrator or Admin role can perform access control based on tenant-level roles.
Tenant-level permissions can be managed only by tenant-level roles.
Authorization for tenant-level roles can be performed only by using policies.
Flowchart for access control based on tenant-level roles
Create the tenant-level role t_role1.
Grant permissions to the tenant-level role t_role1 by using policies.
Add a user to the tenant-level role t_role1.
Assign the tenant-level role t_role1 to the user.
Statements that are related to tenant-level permissions
SQL statements that are related to permissions
-- The following statements can be executed in the projects on which the specified tenant is granted operation permissions.
-- Add or remove a user to or from a tenant.
Add tenant user <user_name>;
Remove tenant user <user_name>;
-- View the users and roles in the tenant.
List tenant users;
List tenant roles;
-- Create or drop a tenant-level role.
Create tenant role <role_name>;
Drop tenant role <role_name>;
-- Assign a tenant-level role to a user or revoke a tenant-level role from a user.
Grant tenant role <role_name> to user <user_name>;
Revoke tenant role <role_name> from user <user_name>;
-- Add or remove a tenant-level role to or from a project.
Add tenant role <role_name> to project <project_name>;
Remove tenant role <role_name> from project <project_name>;
-- View the permissions of a tenant-level role or user, or the principals that hold a tenant-level role.
Show grants for tenant role <role_name>;
Show grants for tenant user <user_name>;
Show principals for tenant [role] <role_name>;
Manage tenant-level permissions in the MaxCompute console
Create a tenant-level role.
Log on to the MaxCompute console, and select a region in the upper-left corner.
In the left-side navigation pane, click Tenant Management.
On the Tenant Management page, click the Roles tab. On the Roles tab, click Create Role.
In the Create Role dialog box, configure the parameters. The following table describes the parameters.
Parameter: Role Name
Description: The name of the role. The name must be unique within your Alibaba Cloud account. When you specify a name for the role, make sure that the name meets the following conditions:
The name starts with a letter.
The name contains only letters, underscores (_), and digits.
The name is 6 to 64 characters in length.
Parameter: Policy
Description: The policy that you want to attach to the role. You can write the policy based on the policy template that is provided.
The following sample policy contains two statements: the CreateNetworkLink, List, and Execute operations on all network connections are allowed, and the Usage operation on all quotas in all regions is allowed.
{
  "Statement": [
    {
      "Action": [
        "odps:CreateNetworkLink",
        "odps:List",
        "odps:Execute"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:networklinks/*"
      ]
    },
    {
      "Action": [
        "odps:Usage"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:regions/*/quotas/*"
      ]
    }
  ],
  "Version": "1"
}
Click OK. If the role is displayed in the role list, the role is created. For more information about role authorization, see Perform access control based on tenant-level roles.
On the Tenant Management page, click the Users tab to manage tenant-level users. You can add RAM users within the current Alibaba Cloud account and assign tenant-level roles to the RAM users.
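Before you attach a policy such as the sample above to a tenant-level role, it is worth checking exactly which action/resource pairs it grants. The following script is an added example, not code from MaxCompute or this topic; it assumes the usual RAM-style evaluation rules (`*` is a wildcard, an explicit Deny overrides Allow, and anything unmatched is denied), and its sample policy and resource names are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample: the two-statement policy shown for the Policy parameter above.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Action": ["odps:CreateNetworkLink", "odps:List", "odps:Execute"],
     "Effect": "Allow", "Resource": ["acs:odps:*:networklinks/*"]},
    {"Action": ["odps:Usage"],
     "Effect": "Allow", "Resource": ["acs:odps:*:regions/*/quotas/*"]}
  ],
  "Version": "1"
}
""")

def _as_list(value):
    # Action and Resource may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # Assumption: `*` in an Action or Resource pattern stands for any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """True if `action` on `resource` is granted by `policy`.
    Assumed semantics: default deny; a matching Deny statement overrides
    every matching Allow statement."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(_as_list(stmt["Action"]), action) and \
           _matches(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def overbroad_statements(policy):
    """Least-privilege review: indexes of Allow statements whose Action or
    Resource is a bare wildcard, which grants far more than the sample above."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        wide_action = any(a in ("*", "odps:*") for a in _as_list(stmt["Action"]))
        wide_resource = any(r in ("*", "acs:odps:*") for r in _as_list(stmt["Resource"]))
        if stmt["Effect"] == "Allow" and (wide_action or wide_resource):
            findings.append(i)
    return findings
```

Run `is_allowed` with the actions and resources your users actually need, and `overbroad_statements` on any policy you have written yourself, before you attach it to a role.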
Manage tenant-level roles.
Log on to the MaxCompute console, and select a region in the upper-left corner.
In the left-side navigation pane, click Tenant Management.
On the Tenant Management page, click the Roles tab.
Find the role that you want to manage. In the Actions column, click Manage Permissions to view or modify the role, or click Delete to delete the role, based on your business requirements.
Manage tenant-level users.
Log on to the MaxCompute console, and select a region in the upper-left corner.
In the left-side navigation pane, click Tenant Management.
On the Tenant Management page, click the Users tab.
You can manage tenant-level users. For example, you can add RAM users within your Alibaba Cloud account to a tenant and assign tenant-level roles to the RAM users.